|
Description:
As of March 7, 2005 3:05 AM (PST/GMT -8:00), TrendLabs has declared a Medium Risk alert to control the spread of this worm that is currently spreading in Korea and the United States.
To get a one-glance comprehensive view of the behavior of this worm, refer to the Behavior Diagram shown below.
Malware Overview
WORM_FATSO.A propagates in two ways: via MSN messenger and via eMule peer-to-peer file sharing application.
It spreads copies of itself to all online contacts of an affected system using the file transfer feature of MSN messenger. Accepting the transfer request downloads a copy of this worm into the recipient's system.
This worm also has the ability to propagate via eMule, a known peer-to-peer (P2P) file sharing application that has arguably overtaken other similar applications like KaZaA, Bearshare and Limewire. It drops copies of itself in the eMule shared folder of the affected system.
It is capable of redirecting infected users to a certain Web site, which as of this writing, is already not available. It does this whenever the user accesses Web sites that are associated with antivirus and security companies. It may also terminate certain running processes and prevent these processes from executing again while this worm is resident in memory.
This worm also opens a notable text file, which displays the following details:
Hey LARISSA fuck off, you fucking n00b!.. Bla bla to your fucking
Saving the world from Bropia, the world n33ds saving from you!
'-S-K-Y-'-D-E-V-I-L-'
This message is allegedly addressed to the author of WORM_ASSIRAL.A, self-proclaimed creator of anti-BROPIA worms. As a payload, WORM_ASSIRAL.A proclaimed that its author was "freeing the world from BROPIA". This worm was known to terminate BROPIA-related processes.
WORM_FATSO.A now insults the author of WORM_ASSIRAL, accusing him/her of being a "noob" (a "newbie", or an inexperienced person, specifically a programmer). This could be due to the fact that WORM_ASSIRAL used SMTP, a relatively "old" and conventional means of propagating worms.
Whether the authors of the BROPIA variants and WORM_FATSO.A are related, or one and the same person, remains to be seen. However, one thing is quite certain: MSN Instant Messenger (IM) worms are fast becoming the malware of choice among worm creators, and this can be attributed to the fact that the code for MSN propagation has already been posted in virus writers' forums.
Recent IM worms seem to be outdoing each other by having more functions, like bot capabilities and multi-propagation vectors. As such, IM worms exploiting known Windows vulnerabilities may be discovered in the near future.
For additional information about this threat, see:
Solution
Technical Details
Description created: Mar. 7, 2005 5:33:26 AM GMT -0800
Search a new malware
Tell us how we did. Take our quick survey.
|
Save & Share
